Device Data

The card issuer uses Device Data Collection (DDC) to fingerprint the customer's device.

Along with the risk data in the authentication request, it's used to decide if a challenge is needed or if the authentication can be frictionless (no challenge displayed to the shopper). This step is required for the authentication to use 3DS2.

Device data initialization

POST your device data initialization request to the 3ds:deviceDataInitialize action link.

This request creates a JSON Web Token (JWT) that is used as part of the Device Data Collection (DDC) form. The DDC form also requires the first six digits of your customer's card number (BIN). The BIN can be returned if a token resource is provided, see JWT + BIN (token) request.

For consistency of integration, you can also provide the full card number; see JWT + BIN (card). It is truncated to become the BIN in the response.

Device data initialization example request

POST https://try.access.worldpay.com/verifications/customers/3ds/deviceDataInitialization

{
    "transactionReference": "unique-transactionReference",
    "merchant": {
        "entity": "default"
    }
}

JWT + BIN (token) request:

{
    "transactionReference": "unique-transactionReference",
    "merchant": {
        "entity": "default"
    },
    "paymentInstrument": {
        "type": "card/tokenized",
        "href": "https://try.access.worldpay.com/tokens/MTIzNDU2Nzg5MDEyMzQ1Ng"
    }
}

JWT + BIN (card) request:

{
    "transactionReference": "unique-transactionReference",
    "merchant": {
        "entity": "default"
    },
    "paymentInstrument": {
        "type": "card/front",
        "cardHolderName": "John Appleseed",
        "cardNumber": "4444333322221111",
        "cardExpiryDate": {
            "month": 5,
            "year": 2035
        }
    }
}

| Parameter | Mandatory | Description |
| --- | --- | --- |
| transactionReference | | A unique reference for the device data JWT request, for example, an e-commerce order code. |
| merchant.entity | | Used to route the request in Access Worldpay, created as part of on-boarding. |
| paymentInstrument.type | | An identifier for the paymentInstrument being used. |

type : card/front
type : card/tokenized

Device data initialization response

To understand what these outcomes mean and how to reproduce them for testing purposes, see 3DS testing.

{
    "outcome": "initialized",
    "transactionReference": "unique-transactionReference",
    "deviceDataCollection": {
        "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJPcmdVbml0SWQiOiJPcmdVbml0IiwiaXNzIjoiYXBpSWQiLCJleHAiOjE1NjI5MjMzNDYsImlhdCI6MTU2MjkyMzQwNiwianRpIjoiYTAzMWVhOGEtN2E0Zi00YTQwLWI1NjMtOTUzMzYzMzVhZGNmIn0.0IK74OIXBxFsxqeOURJz1TFnz14ZTbFJTdTWo9cHUJQ",
        "url": "https://ddcUrl.example.com",
        "bin": "555555"
    },
    "_links": {
        "3ds:authenticate": {
            "href": "https://try.access.worldpay.com/verifications/customers/3ds/authentication"
        },
        "curies": [{
            "href": "https://try.access.worldpay.com/rels/verifications/customers/3ds/{rel}",
            "templated": true,
            "name": "3ds"
        }]
    }
}

| Parameter | Description |
| --- | --- |
| deviceDataCollection.jwt | A digitally signed token that contains additional details required for DDC. Expires in 10 minutes. |
| deviceDataCollection.url | A POST action on the DDC form. Used to redirect to the issuer's DDC page. |
| deviceDataCollection.bin | First six digits of the card number (Bank Identification Number), used as part of DDC. Returned if a token resource or card number is included in the request. |

Device Data Collection (DDC)

Once you have the JWT and BIN you can create and submit the DDC form.

Create an iframe with an automatic form post in order for the issuer to collect the customer's browser device data (fingerprint). A SessionId representing this collection is then used as part of the risk analysis by the issuer in the authentication request.

Device Data Collection form

Here's an example of how you would set up the DDC form in an iframe.

<iframe height="1" width="1" style="display: none;">

    <!-- Set the action to the value in the 'deviceDataCollection.url' from the device data initialization response -->
    <form id="collectionForm" name="devicedata" method="POST" action="https://ddcUrl.example.com">

      <input type="hidden" name="Bin" value="555555" />
      <!-- Use value from 'deviceDataCollection.bin' from the device data initialization response or add the card number -->

      <!-- Set to the value of 'deviceDataCollection.jwt' from the device data initialization response -->
      <input type="hidden" name="JWT" value="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJPcmdVbml0SWQiOiJPcmdVbml0IiwiaXNzIjoiYXBpSWQiLCJleHAiOjE1NjI5MjMzNDYsImlhdCI6MTU2MjkyMzQwNiwianRpIjoiYTAzMWVhOGEtN2E0Zi00YTQwLWI1NjMtOTUzMzYzMzVhZGNmIn0.0IK74OIXBxFsxqeOURJz1TFnz14ZTbFJTdTWo9cHUJQ" />

      <script>
      window.onload = function() {
        document.getElementById('collectionForm').submit();
      }
      </script>

    </form>
</iframe>

Device Data Collection postMessage

Once the DDC form is submitted and is successfully sent to the card issuer, you are notified via a postMessage event.

For security, verify the sender's identity using the postMessage origin property as detailed here.

| Environment | Origin |
| --- | --- |
| Try | https://secure-test.worldpay.com/ |
| Production | https://centinelapi.cardinalcommerce.com |

An example postMessage response:

{
  "MessageType": "profile.completed",
  "SessionId": "0_3XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX6b5",
  "Status": true
}

| Key | Value |
| --- | --- |
| messageType | profile.completed |
| SessionId | UUID, not present or undefined |
| Status | true - Use the SessionId value in deviceData.collectionReference as part of the Authentication request |
| | false - SessionId is empty. Either retry DDC or send the authentication request without the deviceData.collectionReference. This downgrades the authentication to 3DS1. |

Note: If no postMessage is provided, either retry DDC or send the Authentication request without the deviceData.collectionReference. This downgrades the authentication to 3DS1.
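
The origin check and Status handling described above, as an added example (not Worldpay's own code). The function names, the onResult callback, the SessionId character pattern and the 10-second timeout are assumptions of this example; the origins come from the table above, written without a trailing slash because the browser's event.origin never includes one.

```javascript
// Origins from the Environment/Origin table. MessageEvent.origin is
// scheme://host[:port] with no trailing slash, so compare against that form.
const DDC_ORIGINS = {
  try: 'https://secure-test.worldpay.com',
  production: 'https://centinelapi.cardinalcommerce.com',
};

// Assumption: SessionId is a short token of letters, digits, '_' and '-',
// as in the sample message. Anything else is treated as "no reference".
const SESSION_ID = /^[A-Za-z0-9_-]{1,64}$/;

// Pure decision function: what to do with one MessageEvent-like object.
function evaluateDdcMessage(event, environment) {
  const expected = DDC_ORIGINS[environment];
  if (!expected || event.origin !== expected) {
    return { action: 'ignore', reason: 'unexpected origin' };
  }
  let data = event.data;
  if (typeof data === 'string') { // the payload may arrive as a JSON string
    try { data = JSON.parse(data); } catch { return { action: 'ignore', reason: 'not JSON' }; }
  }
  if (!data || data.MessageType !== 'profile.completed') {
    return { action: 'ignore', reason: 'not a DDC completion message' };
  }
  if (data.Status === true && typeof data.SessionId === 'string' && SESSION_ID.test(data.SessionId)) {
    return { action: 'authenticate', collectionReference: data.SessionId };
  }
  // Status false, or SessionId missing/undefined: retry DDC or authenticate without it.
  return { action: 'fallback', reason: 'no usable SessionId' };
}

// Browser wiring (hypothetical onResult callback). The timer covers the
// "no postMessage is provided" case; 10 s is an assumed value.
function listenForDdc(environment, onResult, timeoutMs = 10000) {
  const timer = setTimeout(() => finish({ action: 'fallback', reason: 'timeout' }), timeoutMs);
  function finish(result) {
    clearTimeout(timer);
    window.removeEventListener('message', onMessage);
    onResult(result);
  }
  function onMessage(event) {
    const result = evaluateDdcMessage(event, environment);
    if (result.action !== 'ignore') finish(result); // keep listening past unrelated messages
  }
  window.addEventListener('message', onMessage);
}
```

Messages from any other origin are ignored rather than treated as a failure, so an unrelated frame cannot force the fallback path or supply its own SessionId.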

Next steps


Authentication